Errata
New CIFSwitch Linux flaw gives root on multiple distributions - Some distributions Manizada confirms as vulnerable with their default configurations are:
- Linux Mint 21.3 / 22.3
- CentOS Stream 9
- Rocky Linux 9
- AlmaLinux 9
- Kali Linux 2021.4–2026.1
- SLES 15 SP7
FBI: Crooks enter legal offices and steal data via USB drive - It also warned last year that the callback phishing specialists had started physically walking into the law firms’ offices when remote social engineering attempts go south. The FBI’s latest advisory reaffirms these findings, with fresh attacks reported in Spring 2026.
Privacy
Troops’ phones leaked location data to foreign adversaries - Senator Ron Wyden (D-OR), Representative Pat Harrigan (R-NC), and a dozen other Congress critters sent a letter to DoD CIO Kirsten Davies on Thursday, demanding a change in smartphone security posture among US military branches. Included in the letter is what lawmakers describe as the first public confirmation that commercial location data has been used to target or surveil American troops in active war zones. The information was shared with Wyden’s office in April.
Additional reporting: US says troops were targeted with location data, as senator warns ad industry is a ’national security threat’ | TechCrunch
Historical reporting from 2018: Strava Data Heat Maps Expose Military Base Locations Around the World | WIRED
Websites have a new way to spy on visitors: Analyzing their SSD activity - Ars Technica - By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.
Cities Are Covering Flock Cameras With Trash Bags - The city of Dayton, Ohio has covered its Flock automated license plate reader cameras with black trash bags in part because police there are unsure whether the cameras are still active and the city also doesn’t seem to know whether it is allowed to take the cameras down. The move comes after months of resident outrage, a scandal in which the city was sharing Flock camera data for immigration enforcement apparently on accident, and a $30,000 audit into how the cameras are being used.
We Sued ICE to Get Its Spyware Contract. The Agency Is Redacting Essentially Everything - The vast majority of the documents it has provided so far are heavily redacted, and it is still withholding information in the public interest that would more fully explain why the agency wanted to buy such a potent and controversial surveillance tool.
Author’s Note: Referenced in the article is a quote from Lyons claiming that they bought the spyware to stop the importation of fentanyl. Readers should remember that the Trump Admin recently pardoned the former President of Honduras, Juan Orlando Hernandez, for importing more drugs into the country than Pablo Escobar.
Reference: Office of Public Affairs | Juan Orlando Hernández, Former President of Honduras, Indicted on Drug-Trafficking and Firearms Charges, Extradited to the United States from Honduras | United States Department of Justice
ICE awards Bi2 $25M contract for 1,570 biometric scanners - According to a largely unreported contract summary published last week by ICE parent agency the Department of Homeland Security, US immigration cops have doled out about $25.1 million to a company called Bi2 Technologies for 1,570 biometric recognition devices able to identify people through fingerprints, iris scans, and facial recognition.
Development Risks
Dozens of Red Hat packages backdoored through its official NPM channel - Ars Technica - “Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.” Additional reading: Shai-Hulud malware infects Red Hat npm packages downloaded 80K times weekly
Malicious npm Package Stole Files From Claude AI User Directory via GitHub - In reality, however, it authenticates to GitHub during the postinstall stage, either using a GitHub access token found in the victim’s environment or a hard-coded token as a fallback, checks whether a target repository exists, and if not, creates it, and then recursively uploads every file to a threat actor-controlled GitHub account.
Fed up with vibe coders, dev sneaks data-nuking prompt injection into their code - Ars Technica - “The chosen string instructs the agent to delete jqwik tests and code—a maximally destructive instruction with no qualifications, no opt-out, and no ‘warn the user first’ preamble,” Batllet wrote. “If a less-robust agent had followed it on a real consumer machine, the outcomes range from inconvenient to severe.”
Author’s Note: jqwik is free and open source software, presented with no guarantees. Users beware, and use at your own risk.
A Tale in Three Parts
Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal - The development comes after a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) disclosed details of multiple zero-day vulnerabilities affecting various Windows components, including Defender and BitLocker, over the past month, citing a breakdown in Microsoft’s handling of the vulnerability disclosure process.
Microsoft also threatened to involve law enforcement. “Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”
Microsoft Statement - https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump - “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”
Microsoft reaches for olive branch after public dustup with 0-day researcher - In a statement published on Monday, Redmond said it has “no intention to pursue action against individuals conducting or publishing security research”, a noticeably softer position than the one it adopted just days earlier when it condemned a string of public vulnerability disclosures and invoked its Digital Crimes Unit.
Microsoft reaches for olive branch after public dustup with 0-day researcher - What’s more, if Microsoft’s goal was to isolate Nightmare-Eclipse, that may not be going entirely to plan. The researcher claimed over the weekend that other researchers had begun handing over vulnerabilities following Microsoft’s response, including an alleged flaw dubbed “Bitskrieg” that breaks Secure Boot trust guarantees and bypasses BitLocker. Nightmare-Eclipse said the bug will be released “sometime in June”.
Charter Breach
Charter confirms data breach after ShinyHunters extortion threat - According to the threat actor, the stolen records contain customer names, email addresses, addresses, phone numbers, phone type, plan information, and some CPNI data. The threat actor also claims to have stolen customer support ticket data.
Charter Communications data breach affects 4.9 million accounts - The threat actors claimed they used this access to steal 42 million records from the company’s Salesforce instance, including consumer and business customer names, email addresses, physical addresses, phone numbers, phone types, plan information, support ticket data, and some CPNI data.
Artificial Intelligence
Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked - The “Method” described by the channel is simple: “VPN to match the target account country region > Reset password > Ask for more help > Chat with AI > Ask AI to switch email for you.” That account originally posted in Telegram about the vulnerability at the end of March.
New Study Reveals the Manipulative ‘Dark Patterns’ of AI Chatbots - Longer story short, these bots are designed to prey on humans. Made to make you feel comfortable, make you share data, make you stay talking. Many cause mental health crises.
Author’s Note: The onset of schizophrenia typically occurs in late adolescence to early adulthood, generally between ages 16 and 30. It usually begins earlier in males (late teens to early 20s) than in females (late 20s to early 30s)
Amazon Shuts Down Internal AI Leaderboard After Employees Cheated - “Honestly, iterating on that and maximizing the throughput was the most fun I’ve had at work,” this employee said. “I also do not think I was the only one gaming the system to make the number go up. My manager’s tone in that meeting made me think there were some internal discussions about the program driving waste.”
"When a measure becomes a target, it ceases to be a good measure" - Goodhart's Law
ChatGPT prompt injection turns web pages into phishing lures - “AI systems increasingly render untrusted content directly inside browsers, which expands risk significantly,” he told us. “The bigger issue is that AI products are starting to resemble browser or operating system environments, which creates a much larger security surface.”
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites - It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning. Subsequent iterations observed in April 2026 indicate that users are being directed to these sites not through search engine results, but rather via interactions with large language model (LLM)-based tools.
War
Dutch government blocks US company from acquisition, citing ‘risk to public interest’ | TechCrunch - The deal would have allowed Kyndryl to buy Solvinity for an undisclosed sum. Solvinity hosts a platform called DigiD, a service managed by the Dutch government that allows the country’s residents to verify their identity when accessing public services.
Putin sends submarines to survey Britain’s subsea cables. UK deploys Royal Navy, mobilizes parliamentary draftsmen - “Their mission was to survey our cables in peacetime, so they could more easily sabotage them in a conflict,” Lloyd said in a speech delivered at the Royal United Services Institute (RUSI). “They wanted this operation to be secret, but they failed.”
Iranian hackers blamed for breach of Los Angeles transit system that took weeks to recover | TechCrunch - A hacktivist group calling itself Ababil of Minab claimed responsibility for the earlier hack, saying they stole, then deleted data from the LACMTA’s systems. The group’s name is a reference to the U.S. air strike on an Iranian school in the city of Minab that killed more than 175 people, mostly children.
New Russia-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks